Author Archive - Jonathan Leopando (Technical Communications)

Microsoft has released an out-of-band security bulletin (MS14-068) that addresses a vulnerability in the implementation of Kerberos in various versions of Windows. The bulletin states that this vulnerability is already being used in “limited, targeted attacks”. This warning, plus the fact that Microsoft considered this threat serious enough to merit an out-of-cycle patch, should make users consider patching as soon as possible.

Kerberos is a protocol used to authenticate users within a network. This vulnerability (designated as CVE-2014-6324) could allow an attacker to escalate privileges to that of a domain administrator; this could then be used to compromise any system connected to that domain, including domain servers.

This is a serious flaw which lends itself to usage in targeted attacks. An attacker will have to use separate means to penetrate a network, but once inside this vulnerability could be used to compromise any machine connected to the organization’s domain server (effectively, all machines).

Used properly, this vulnerability is as effective a tool for moving laterally within an organization as is known today. No workaround or mitigation has been clearly identified by Microsoft (aside from patching the vulnerability); the only requirement for a successful attack is for the attacker to already have valid domain credentials. For an attacker that has already penetrated existing networks, this hardly represents a barrier.

The damage an attacker could do if an organization’s domain server was compromised could be significant. In a worst case scenario, the entire domain would have to be rebuilt from the ground up, which would be extremely costly in time and resources for any organization.

Microsoft itself suggests that this attack has been used in targeted attacks saying that they “are aware of limited, targeted attacks that attempt to exploit this vulnerability.” With knowledge that a vulnerability exists, and information provided by the patch, we can expect to see more attacks that target this flaw in the future.

Microsoft has disclosed that a new zero-day vulnerability is present in Windows, and is exploited via Microsoft Office files. According to Microsoft Security Advistory 3010060, the vulnerability is present in all supported versions of Windows except Windows Server 2003.

The vulnerability (designated as CVE-2014-6352) is triggered by an attacker sending a specially crafted Microsoft Office file to the user. Currently, attacks using PowerPoint files are known to exist, but all Office file types can be used to carry out this attack.

The specially crafted files contain a malicious Object Linking and Embedding (OLE) object. This technology is used to share data between various applications; it is in this component of Windows where this vulnerability may be found. Exploiting it allows for malicious code to run with the privileges of the user. To get administrator access, a separate exploit must be used. In addition, under default settings a User Access Control popup is displayed, which may alert the user that something unusual is going on.

Currently, Microsoft has not indicated whether a patch to solve this issue will be sent outside of the regular Patch Tuesday cycle. Until more definitive information becomes available, we advise users to be careful about opening Office documents that they have been sent, particularly if they come from parties that have not sent you documents beforehand. The Microsoft bulletin also includes several workarounds and temporary fixes, including settings for users of the Enhanced Mitigation Experience Toolkit (EMET) utility.

Update as of October 24, 2014, 7:30 P.M. PDT

Currently available information suggests that this vulnerability is essentially identical to the Sandworm vulnerability, which was reported and patched more than a week ago. The patch first put in place by Microsoft did not completely resolve the problem, allowing new exploits to target the same underlying flaw.

Deep Security solutions that protect against Sandworm also protect against these more recent attacks. The following DPI rules cover these threats:

Home Depot has confirmed via their corporate website that their payment systems were breached. This followed reports last week, which suggested that Russian and Ukrainian cybercriminals had successfully breached the Atlanta-based retailer’s PoS terminals.

The statement offered full details, but suggested the breach affected users who shopped at their US and Canadian branches from April onwards. Home Depot’s investigation began on September 2, which indicates a worse-case scenario of a breach of four to five months. It has been claimed that up the information of up to 60 million cards may have been stolen.

Speculation suggests that the Home Depot attack was carried out using BlackPOS malware; a BlackPOS variant discussed by Trend Micro researchers in late August may have been part of this attack, as the behavior we found with this variant and those ascribed to the Home Depot attack are very similar.

This particular BlackPOS variant is different in several ways from more common variants, suggesting that the code has been changed significantly since the source code for BlackPOS was leaked in 2012. A different API call is made to list processes which can be targeted for information theft; in addition custom search routines for credit card track information have been introduced as well. This particular variant is detected as TSPY_MEMLOG.A.

These increasingly sophisticated threats make it clear that PoS malware is becoming a bigger and bigger threat. Continued attacks against PoS systems will not only cause financial losses, but also reduce the confidence of consumers in existing commerce systems.

Migrating to more modern “chip-and-personal identification number (PIN)” cards and terminals may help reduce the risk down the road. Also, it is good for users to regularly check their bank statements for any anomalous transaction. Going over the recent transactions on a regular basis should allow users to spot and dispute fraudulent transactions made on their cards.

Later this week, we will publish a paper outlining existing threats to PoS systems. System administrators of organizations that are at potential risk can use the information in these papers to detect, mitigate, and address these attacks. Our earlier paper titled Point-of-Sale System Breaches: Threats to the Retail and Hospitality Industries provided examples of potential PoS threats to retailers and companies in the hospitality sector.

Even though BlackPOS ver2 has an entirely different code compared to the BlackPOS which compromised Target, it duplicates the data exfiltration technique used by the Target BlackPOS. It is an improved clone of the original, which is why we decided to call this BlackPOS ver2.

It is also being reported in the press that some security vendors called this malware (TSPY_MEMLOG.A.) as “FrameworkPOS.” This is a play of the service name <AV_Company> Framework Management Instrumentation with which the malware installs itself.

The devices at these IP addresses are vulnerable to being taken over by attackers due to an open port on the external side of the router; accessing this port and entering a fixed password (which is hard-coded in the firmware) allows an attacker to gain access and completely compromise the user’s network.

On a positive note, the numbers of affected devices (around 1.35 million) is down significantly from the numbers we found initially (more than 2 million). The biggest fall was from August 31 to September 1, with more than 430,000 IP addresses no longer responding to ShadowServer’s probes.

We wish to reiterate that in the absence of firmware updates, there is no effective way of mitigating this vulnerability for most users. While the number of vulnerable devices has gone down significantly, 1.35 million devices is still a large number of devices and users at risk. Netscore/Netis has not yet gotten back to us, and we are unaware of any patched firmware versions that have been released.

We would like to thank ShadowServer for providing this service to the Internet at large and helping protect individual users. This kind of cooperation between researchers is invaluable in helping deal with emerging threats, as different parties can each bring something valuable and work together towards common goals.

The topic of open Wi-Fi and public hotspots has been in the news again, for several reasons. Last month, the Electronic Frontier Foundation launched OpenWireless.org, a project to create router firmware that would provide open wireless access to anyone in range of the user’s router.

Notionally, in addition to providing Internet access to everyone who needs it, it would make everyone’s Internet more private by removing the connection between one’s identity and IP address, since anyone could be using the open Wi-Fi to gain access. This would make surveillance and tracking based on the IP address unreliable.

Well-intentioned as this may be, people actually running this is not a good idea. Let’s assume that this can be done in such a way that your private network traffic is segregated from the open Wi-Fi traffic. Your own network traffic would not be at risk of exposure, but that’s not the only risk.

What goes out on your Internet connection ISP is your responsibility. You’re likely to end up in legal hot water if illegal behavior is carried out via your IP address. The potential for abuse is extremely high. High bandwidth usage by “guests” can also eat up your data cap, resulting in either a throttled connection or a large bandwidth bill at the end of the month.

Similar initiatives have been tried in other countries by projects like RedLibre and Guifi (both in Spain). However, the adoption of these has been rather limited. The implementation of these projects may have differed, but ultimately the risks are enough to deter users from participating in them, no matter how well-intentioned.

The other story that’s put public Wi-Fi in the news was Comcast Internet turning the modems of 50,000 subscribers into residential Wi-Fi hotspots. This hotspot would be separate from any Wi-Fi network the user established, and would be for the use of all Comcast subscribers. Before someone could log into this public hotspot, they would have to enter their Comcast username and password.

Other ISPs are bound to come up with similar public Wi-Fi hotspots. Two questions come to mind here. If I am a subscriber, should I opt out my network of this? Is it safe to log onto these public hotspots? Let’s deal with the first one.

In theory, the risks to users are far less in this scenario than with a purely open Wi-Fi scenario. Any data consumed by this access point does not count against the user’s data cap. Abuse of the hotspot is something that would be the responsibility of the ISP, not you. So, there’s no risk, right?

Not exactly. From a technical perspective, the biggest problem would be the separation of the hotspot’s traffic from your own. Unfortunately, wireless routers don’t have a good track record when it comes to software vulnerabilities. The existence of a vulnerability that exposes your network can’t be ruled out.

The real risk for is for people who want to use these hotspots. The above risk of vulnerable firmware applies to would-be users, too: it’s entirely possible that the network traffic of guests could be exposed to an attacker running a malicious version of the router firmware. It’s an inherent risk of connecting to a network that you may not completely trust.

Another risk is it enables other attacks that put your ISP credentials at risk. As some tech sites have noted, it is very easy to set up a fake hotspot with the same Service Set Identifier (SSID) as that used by the public hotspots offered by ISPs. Since these public hotspots use a captive portal to ask for your ISP’s credentials (to validate that you are a customer), an attacker can create a fake version of that portal to steal the ISP login credentials.

Until a better technical situation for open Wi-Fi becomes available, users will have to be careful in dealing with situations like this. An earlier blog post of ours also discussed using open Wi-Fi safely, with the use of virtual private networks (VPNs) being the most important tip there. Meanwhile, running one of these open wireless networks, given all the possible risks, is not a very good idea.

Posted in Mobile | Comments Off on Dealing With Open Wi-Fi and Public Hotspots